github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-25 22:32:07 +00:00
Code Issues Projects Releases Wiki Activity

Add user_known_mount_in_privileged_containers

Browse Source 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
This commit is contained in:
Matt Moyer 2022-03-09 21:59:41 -06:00 committed by poiana
parent 4819748ab0
commit 36acd6dfbf
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -3065,6 +3065,9 @@
- macro: mount_info
condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
- macro: user_known_mount_in_privileged_containers
condition: (never_true)
- rule: Mount Launched in Privileged Container
desc: Detect file system mount happened inside a privileged container which might lead to container escape.
condition: >
@ -3072,6 +3075,7 @@
and container.privileged=true
and proc.name=mount
and not mount_info
and not user_known_mount_in_privileged_containers
output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [container, cis, mitre_lateral_movement]